The HTTP referrer can’t be trusted. The same goes for all the other HTTP headers. Why can’t you trust them? Because they are user inputs.
If you want to spoof your own browser's HTTP headers, you can simply edit them on the fly with a plugin or extension. Or you could create an HTTP connection using a programming language.
Maybe you thought referrer checking prevents CSRF attacks? A simple meta refresh blanks out the referrer:
<meta http-equiv="refresh" content="0;url=http://attacker/CSRF.html">
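An added example, not from the original post: a lenient Referer check (one that accepts a missing header) beside a session-bound token check, run over three constructed requests. The site name, session id, key handling and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)     # hypothetical per-deployment secret
TRUSTED_ORIGIN = "https://shop.example"  # constructed site name

def referer_check(headers):
    """Lenient header check: accept a matching Referer, and also accept a
    missing one so clients and proxies that strip it keep working."""
    referer = headers.get("Referer")
    if referer is None:
        return True  # a blanked referrer lands here and is waved through
    return referer == TRUSTED_ORIGIN or referer.startswith(TRUSTED_ORIGIN + "/")

def issue_token(session_id):
    """Token bound to the session; the server embeds it in its own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def token_check(session_id, form):
    """Accept only if the submitted token matches the session's token."""
    submitted = form.get("csrf_token", "")
    return hmac.compare_digest(submitted.encode(), issue_token(session_id).encode())

def evaluate(session_id, headers, form):
    """Run both checks on one request and report each verdict."""
    return {"referer": referer_check(headers),
            "token": token_check(session_id, form)}

# Constructed requests for one logged-in session.
SESSION = "session-1234"
LEGIT = ({"Referer": TRUSTED_ORIGIN + "/account"},
         {"csrf_token": issue_token(SESSION), "email": "me@shop.example"})
# Cross-site request whose Referer was blanked: no header, no token.
NO_REFERER = ({}, {"email": "x@other.example"})
# Scripted client that typed the Referer header itself: header looks right, no token.
FORGED_REFERER = ({"Referer": TRUSTED_ORIGIN + "/account"},
                  {"email": "x@other.example"})

if __name__ == "__main__":
    for name, (headers, form) in [("legit", LEGIT),
                                  ("no referer", NO_REFERER),
                                  ("forged referer", FORGED_REFERER)]:
        print(name, evaluate(SESSION, headers, form))
```

Rejecting requests with a missing Referer would close the first gap but not the second; the token check does not depend on any client-supplied header.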